How to add DNSSEC Records in Bind/Named – Linux/CWP/Centos
In this tutorial I’m going to show you how to generate keys and enable DNSSEC for a DNS zone. This is the instruction most requested by visitors.
DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.
First, install haveged to provide entropy for key generation:
EL/CentOS/RHEL:
yum install -y haveged
systemctl enable haveged
systemctl start haveged
In the command examples below, replace “domain.tld” with your domain name.
Second, change to the /var/named directory:
cd /var/named/
Third, generate the ZSK (zone-signing key):
dnssec-keygen -L 3600 -a RSASHA256 -b 2048 -r /dev/urandom domain.tld
Fourth, generate the KSK (key-signing key):
dnssec-keygen -L 3600 -r /dev/urandom -f KSK -a RSASHA256 -b 4096 domain.tld
Fifth, append the public keys to the domain zone file (008 in the file name is the algorithm number for RSASHA256):
cat /var/named/Kdomain.tld.+008+*.key >> /var/named/domain.tld.db
Sixth, sign the zone file:
dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o domain.tld -t domain.tld.db
Seventh, edit the named configuration file /etc/named.conf. Find the lines
dnssec-enable yes;
dnssec-validation yes;
and add this line after them:
dnssec-lookaside auto;
Now edit the domain zone configuration in /etc/named.conf and change the zone file name to the signed one:
// zone domain.tld
zone "domain.tld" {
    type master;
    file "/var/named/domain.tld.db";
};
// zone_end domain.tld
to
// zone domain.tld
zone "domain.tld" {
    type master;
    file "/var/named/domain.tld.db.signed";
};
// zone_end domain.tld
Finally, reload or restart the named service (CentOS/EL/RHEL):
service named reload
or
systemctl reload named
and you’re done.
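As an added sanity check for the steps above (example code, not part of the original tutorial), this Python script reads a signed zone in the multi-line layout dnssec-signzone writes, computes each DNSKEY’s key tag (RFC 4034, Appendix B), classifies keys as KSK or ZSK from the flags field, lists RRSIGs whose key tag matches no DNSKEY published in the zone (validators reject those), and reports how many days remain before the earliest signature expires, since dnssec-signzone signs for 30 days by default and the zone must be re-signed before then. The zone excerpt, key material and signature data are constructed placeholders.

```python
import base64
from datetime import datetime, timezone
# Constructed domain.tld.db.signed excerpt with placeholder keys/signatures (not real DNSSEC data).
SIGNED_ZONE = """\
domain.tld. 3600 IN DNSKEY 257 3 8 (
        AQAB ) ; KSK; alg = RSASHA256 ; key id = 1545
domain.tld. 3600 IN DNSKEY 256 3 8 AQAB ; ZSK
domain.tld. 3600 IN RRSIG DNSKEY 8 2 3600 20240301000000 (
        20240201000000 1545 domain.tld. c2lnbmF0dXJl )
domain.tld. 3600 IN RRSIG A 8 2 3600 20240225000000 20240201000000 1544 domain.tld. c2ln
www.domain.tld. 3600 IN RRSIG A 8 3 3600 20240225000000 20240201000000 4242 domain.tld. c2ln
"""
REFERENCE_NOW = datetime(2024, 2, 20, tzinfo=timezone.utc)  # fixed "today" for the sample
def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA wire format (RFC 4034, Appendix B)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF
def records(zone_text):
    """Yield each record as a token list: drop ';' comments, join '( ... )' continuation lines."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            tokens, buf = " ".join(buf).split(), []
            if tokens:
                yield tokens
def check_signed_zone(zone_text, now, warn_days=7):
    """Report key roles, RRSIGs whose key tag matches no DNSKEY, and days until the first expiry."""
    keys, sigs = {}, []
    for f in records(zone_text):
        if f[3:4] == ["DNSKEY"]:   # owner TTL IN DNSKEY flags protocol algorithm pubkey...
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys[key_tag(flags, proto, alg, "".join(f[7:]))] = "KSK" if flags & 1 else "ZSK"
        elif f[3:4] == ["RRSIG"]:  # owner TTL IN RRSIG type alg labels ottl expiry inception tag signer sig
            expiry = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            sigs.append((f[0], f[4], expiry, int(f[10])))
    earliest = min(s[2] for s in sigs) if sigs else None
    return {"ksk": sorted(t for t, r in keys.items() if r == "KSK"),
            "zsk": sorted(t for t, r in keys.items() if r == "ZSK"),
            "dangling": [(o, t, tag) for o, t, _, tag in sigs if tag not in keys],
            "days_left": (earliest - now).days if earliest else None,
            "resign_needed": earliest is None or (earliest - now).days < warn_days}
```

dnssec-signzone also writes a dsset-domain.tld. file with the DS records for the KSK; until those are published in the parent zone through your registrar, validating resolvers treat the zone as unsigned.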